Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 18 Sep 2015 15:08:42 -0400 (EDT)
From: cve-assign@...re.org
To: dblack@...assian.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request - ldapauth-fork versions < 2.3.3 are vulnerable to ldap injection.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://github.com/vesse/node-ldapauth-fork/issues/21
> https://github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4

Use CVE-2015-7294.

The existence of a fork does not, by itself, lead to use of multiple CVE IDs.
The CVE ID is for the vulnerability in the shared codebase, regardless of the
product names in which that codebase is used.

https://github.com/vesse/node-ldapauth-fork/issues/21#issuecomment-108186158
has comments from the vendor about possible mitigating factors. Given
those comments, is the most straightforward threat that the attacker
may be able to arrange for a search result to be exactly one username,
and may not know the complete username in advance but may know the
password in advance?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJV/GBEAAoJEL54rhJi8gl5qTkQALTFcRFrbVujYJ0j5F5U7eez
VTjP+3aTDRicGNy1+SCXQr8Txg7RdfA8YuJ3n+8k6uBdZAIHRJb6q8SPHRwLq/c2
LISeI7kPaQuOc0MaOAMRKCNyp1WkA0KnDqixSUe27UjY5wTaDcMaoQ7xGAws+2vp
Gh4jL9XtTbj3V0A1MrL5flFQ1VwgX6IhKFCsPkBxaWQgOhdHbROe4TQ1u7gPwfhf
TRLXnGEbwJa4rEPKWimUkZMsbDv+t024C0HbtsphGoeXno4K1uZDs8arHqk8Cg7M
Ub+051LfB90S/R0Xv7IrfbGSZzp8r0VxZTuVvrvtMCNjGb8SvRekk6GzHtlfLLfw
5ukBA3u6p2z8nqhgArmbUnlJXFzWfSe8ET14JaCVzakr20OdeK8e1k6ywOZ7dukT
VMqPSPmZ0F00uhdeL5Ft0FoOwim/XaSSYtvLms6lOmWqUqSUAiyKi5qQLFX4UIV7
I/uvFui0uHFs7nHKRurFmcXy9vs09F0h8KM3BqlJ4wibh5AJLaKyiblFI23fay4h
JFGO3L6/mYexY2mh3udPpc/nzCaEs2TueVU39SPZU/l+bAJ+rSP28LW+kXAyDIeF
zuxuajTc+1CyPjfgp2Amrq7UOLfhaXzkB1AFg+xWLo9HbguuJ6jFhbieu7vys6f7
GRV+0Rz2PIWMV/uTW6VS
=bgV0
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.